Gawker Media To Require Commenters' Facebook, Twitter, Or Google Logins
First time accepted submitter wynterwynd writes "In a move that seems to be in line with Gawker Media founder Nick Denton's opinion of his sites' commenters, some Gawker Media sites are now instructing their commenters that they will have to link their Gawker commenter ID with their Facebook, Twitter, or Google accounts in order to log in. Is this really a good idea, considering the security issues Gawker has had in the past? Per the article, for 'security purposes' Gawker is 'putting our account security layer in the hands of some of the best in the business — major sites with more security expertise and resources than anyone else on the web.' To my mind, it's hard to see this as anything but a grab to milk Gawker commenters' social networking accounts for targeted ad revenue — which really shouldn't be a surprise considering Denton's contempt for most of the Gawker community. Is this a step too far for an online community? Is it a cash grab or a genuine effort to encourage secure and responsible posting?"
Add Gawker to the same list the New York Times is on. That is, "pass."
I already don't comment on most sites which require a login (/. is an exception) -- but I can't even imagine wanting to link my personal social media account with a commenting account. What a horrible idea.
The privacy issues alone are a big deal, but sometimes you want to say something that you can't have directly linked back to yourself (for various reasons). I'm not defending criminal activity or hate speech, but I could think of examples where expressing your view could cause issues because of your religion / country of residence / association with others etc.
Call me naive, but I have no idea why websites like using other social networks for authentication. Is there something so secure that I can trust Facebook with any and all logins and passwords for not just me, but all my users?
Yes, FB and Google have two factor authentication as options, but when it comes to making sure my users have basic security, I'd rather pack my own parachute, and have a dedicated appliance store username/password hashes so if someone owns the rest of my boxes, they can't just scoop out passwords that can be used at other sites.
Maybe this can be a market niche -- a site offering not just OpenID, but a custom API like the old Microsoft Passport allowing people to authenticate from that site, optionally using an app or SecurID key fob.
I refuse to link Facebook or Twitter or any other account that has my real name. If I can't login under an Email handle/alias then I simply don't post on that website.
Sorry Gawker. You lost my business/ad views.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
The summary, as you might expect, is a little off.
What's happening here is that Gawker is switching from its own account system to using the accounts of existing social services (Google, Facebook or Twitter). This is not them asking for your account but rather asking you to AUTHORISE Gawker's access to your account details. If this is an issue, please go talk to Disqus or even Twitter/Facebook/Google themselves, who also let you "link" accounts from other services, as well as a bunch of other sites. This is the way the web is going and is nothing new.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Just because you let Google handle the login doesn't mean Gawker gets anything more from you than an email address which you were already obligated to provide in the past. And since Gmail is already great at handling spam, there is precious little opportunity for Gawker to profit from this by selling your email address. Spamming Gmail accounts is already a fool's errand.
At least in Google's case, they glean nothing either, other than the fact that you use Gawker, but any advertising revenue that comes to google via that knowledge goes to Google, and not Gawker. All they provide Gawker is a YES or NO answer when you ask to log in.
Given the rapidity with which one can create gmail/facebook/twitter accounts it won't assure "secure and responsible" posting either. It's easy enough to have an account that is reserved for such postings, even one per web-site if you want.
All this does is allow Gawker to off-load all user account stuff to some other entity, making them less of a hacking target, because there will be Nothing Much There to Gain. (Some would say this is an attribute of Gawker Media in general.) Having one less web site holding my passwords in an insecure database is a plus as far as I am concerned.
Sig Battery depleted. Reverting to safe mode.
I really wish someone would buy Lifehacker. I really like it but not Gawker.
Coder's Stone: The programming language quick ref for iPad
So what about those like me, who don't have an account on those social sites?
Nothing like Gawker having been hacked before to highlight how bad this is, as appropriately noted.
How is this "bad"?
Do you understand what is being discussed here? Gawker is not asking for your password for Google/Twitter/Facebook.
Rather, they ask Google (for example) to authenticate you, and Google answers YES, or NO, and never lets Gawker see your password.
Sig Battery depleted. Reverting to safe mode.
I'm on the Internet where I'm going to sign up for Facebook, Twitter, Gawker, ETC, let them all build a marketing profile off me, let them build a record of my email addresses and friends/associations, allow them to build a psych profile, allow them to determine my worth, and finally I'm going to give them all that for free.
Goldman Sachs referred to their clients as "muppets". I wonder what the above refers to their customer as...
"If any question why we died, Tell them because our fathers lied."
Gawker already uses tracking from Google, Facebook, Quantcast, Dedicated Networks, Comscore Beacons, Google Analytics, ChartBeat, DoubleClick, Parse.ly, New Relic. (Abine.com has a tool to detect and block such things.)
Now Gawker wants an anal probe, too?
> I have no idea why websites like using other social networks for authentication
It's just a way to remove a barrier to entry. Everybody already has a Facebook, Twitter, or Google ID. It's easier (and arguably more secure) to authenticate through one of those services than to ask the user to make and remember yet another set of credentials. There are other reasons as well, but this one is a biggie.
Didn't you read TFS?
Gawker is "putting our account security layer in the hands of some of the best in the business — major sites with more security expertise and resources than anyone else on the web."
You can rest easy, HBGary is on the case!
"When information is power, privacy is freedom" - Jah-Wren Ryel
No, it's not what they assume. It's what actually happens.
Exactly right. Nothing like a shitty summary to get the crowd all up-in-arms, though.
on telling us your devs are not capable of doing their jobs and letting me know I can't use your site because I don't want to use any of the social sites.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
There are many good reasons. If I were building a new web site from the ground up, I'd probably only allow Google/FB authentication. If I had an existing web site with local authentication, I might switch and I'd definitely prefer Google/FB auth.
You have to analyze the decision from a business/marketing perspective. Site specific logins are a barrier to using any web site. If it is just one click to login with Google/FB you will get a lot more users, it's as simple as that. And returning users have a big barrier to remember username and secure password, particularly if you put onerous restrictions on password strength.
Then there are other softer costs. Managing passwords is troublesome, sometimes requires customer service to intervene or lose users. If you get hacked, you'll have a PR nightmare. Security is hard, better to let someone else with a dedicated staff do it.
And that doesn't even go into the benefits of using social network authentication, like being able to get better quality information about those users and get them to draw other users from their network in.
Denton: "The idea of capturing the intelligence of the readership — that's a joke."
...
Ok, I admit, I find some interesting stuff on occasion on Lifehacker, but that aside, with the insidiously moronic nature of the typical Kotaku article, churned out 3 or 4 times per hour, who else does he expect to comment on such contrived stories as this:
http://kotaku.com/5567040/star-treks-levar-burton-is-not-pleased-with-e3
Or just posting random unnamed sources with PS4 specs that sound absurd. No one would get into a protracted, irrational debate about that, based on idle speculation
http://kotaku.com/5896996
And here's a real think piece from Gawker.com today:
gawker.com/zooey-deschanel
Can't believe more rocket scientists and doctors aren't jumping in to elevate the conversation...
What is the security risk? All Gawker gets is whether you were authenticated or not. They don't get access to your account or any of the nonsense FUD being spread around.
> Just because you let Google handle the login doesn't mean Gawker gets anything more from you than an email address which you were already obligated to provide in the past.
The only situation where that is true is where you previously provided them an email that was already associated with a social networking account (like GMail is). You could avoid providing Gawker with information about your social networking account by using an unrelated email account. Now you no longer have that option. You must authenticate using some method which tells Gawker the account you use for social networking. And this is useful information to them. Gawker advertises on Facebook, this indirectly gives them access to demographics information about the accounts they are advertising to, which they can now link with Gawker accounts.
> All this does is allow Gawker to off-load all user account stuff to some other entity, making them less of a hacking target,
Except research is showing that outsourcing this task is more difficult than people think. Sites that do so are more likely to make a mistake that results in a data breach than those who use their own in-house authentication. Any sort of cross-site integration is tricky from a security point of view, and this is no exception. They haven't made things more secure, they have just introduced another point of failure.
> Call me naive, but I have no idea why websites like using other social networks for authentication. Is there something so secure that I can trust Facebook with any and all logins and passwords for not just me, but all my users?
I won't call you naive, just misinformed.
1) Gawker will not know your Google/FB password.
2) You won't have a Gawker password any more.
3) Gawker asks google to authenticate joerandomuser@gmail.com
4) Google pops up a SECURE web page and gathers your gmail password
5) Google sends Gawker a YES or a NO, and possibly your name.
That's it. You have one less password, and you get logged in with what ever gmail account you enter. That gmail account need never be stored on Gawker's server, (unless you ask for notifications of replies or something). Gawker never has any passwords at all.
This makes Gawker less of a hacking target.
It frees Gawker of having to maintain any login system of their own.
It reduces cost.
You still maintain fine grained control of which sites can use this facility (at least with Google via your dashboard).
See https://developers.google.com/accounts/docs/OpenID?hl=pl-PL for an explanation of how it works.
The upshot: You want this. You didn't know how it works, so you rightly mistrusted it. But it's better.
Sig Battery depleted. Reverting to safe mode.
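The exchange in steps 1-5 of the comment above, seen from the receiving site's side, as an added example that is not part of the original comment and is not Google's or Gawker's code. It is a simplified model rather than the OpenID wire format: the provider's YES is a message authenticated with a key the site and provider share, and the function names, field names and `SITE` URL are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed values: stands in for a key the site and the provider agreed on.
SHARED_KEY = secrets.token_bytes(32)
SITE = "https://comments.example/login/return"  # hypothetical return URL
MAX_AGE = 300  # seconds a YES answer stays acceptable


def _mac(fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def provider_answer(user, authenticated, return_to, nonce, now=None):
    """Provider side. The password was checked on the provider's own page;
    only the outcome is passed on, so no credential appears in the answer."""
    if not authenticated:
        return None  # the "NO" answer
    fields = {"user": user, "return_to": return_to, "nonce": nonce,
              "issued": int(now if now is not None else time.time())}
    return {**fields, "sig": _mac(fields)}  # the "YES" answer


def site_accepts(answer, expected_nonce, seen_nonces, now=None):
    """Site side. Returns the user id, or None when the answer is rejected."""
    if not answer:
        return None
    fields = {k: v for k, v in answer.items() if k != "sig"}
    if not hmac.compare_digest(_mac(fields), str(answer.get("sig", ""))):
        return None  # forged or altered in transit
    if fields.get("return_to") != SITE:
        return None  # a YES issued for some other site
    if fields.get("nonce") != expected_nonce or expected_nonce in seen_nonces:
        return None  # not the request this site made, or a replay
    now = now if now is not None else time.time()
    if abs(now - fields.get("issued", 0)) > MAX_AGE:
        return None  # stale answer
    seen_nonces.add(expected_nonce)
    return fields["user"]
```

The site never handles a password, but it only gets the benefit if every check in `site_accepts` is present; dropping any one of them lets an altered, misdirected, replayed or stale answer log someone in.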
Technically, Facebook's authentication at a minimum gives a lot of personal info to the service. Even the most basic level of Facebook Connect gives them access to a list of your friends, profile information, and so on. So it's a little more than blind authentication.
That's not how OAuth works. The party receiving the authentication (Gawker) doesn't at any point get access to the authentication data (your Facebook / Twitter / Google credentials).
They also don't get access to your Facebook / Twitter / Google session authentication. A consumer of OAuth authentications can't use that authentication token to use any of the authentication provider's services.
No, I don't want this.
It's none of Google's business what I do on Nick Denton's sites. And it's none of Nick Denton's business what my G+/Y!/FB profile was.
If I had any use for Gawker Media, all it means is that I'd have to set up yet another browser profile and associate that with whatever disposable email address I'd originally created for use with his sites.
Anyone who gives a damn about security or privacy issues knows the value of compartmentalization, and ought to be rightfully resentful of any attempt to bridge unrelated accounts.
> Everybody already has a Facebook, Twitter, or Google ID.
Not everybody. This infinitely increases the barrier of entry for people like me, who do not have FB or Twitter and am unwilling to use my google ID for anything at all outside of making my phone work.
In this case, there's no loss. The Gawker family of sites are abysmal anyway.
I have increasing contempt for the Gawker content as well - especially Gizmodo, but to a lesser extent Jalopnik. The articles seem to be steadily getting more childish and unprofessional, often with sensationalist headlines and highly opinionated content which tends to draw a raucous comment section. Which, naturally, leads to more page views. Dare to point this out using the same language used in the post and you're banned. That's childish behavior as well. I admit that some of their properties are of higher quality, but the general Gawker enterprise has a whiff of the National Enquirer. It's far less about good blogging, and far more about goofy "look at me" tactics now.